freeipa

Contents

freeipa

About

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server.

Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.

Provides

Identity (machine, user, virtual machines, groups, authentication credentials)
Policy (host based access control)
Audit (this component is deferred)

What can FreeIPA do for you

### WIP

For some internal zones we're using isc-dhcp-server to dynamically update the isc-bind9 forward and reverse resource records. The ipa-client can update these records (A, AAAA, PTR, PTR6), even adds the SSHFP record (for easy ssh hostkey checking), while being authenticated via GSSAPI/Kerberos.

FreeIPA adds a feature rich graphical frontend to bind. This is a feature i only knew from PowerDNS via its API.

Prerequisites

2-3 RHEL/Fedora/CentOS VMs (Debian is also possible)
- Generally it is recommended to have at least 2-3 replicas in each datacenter. There should be at least one replica in each datacenter with additional FreeIPA services like PKI or DNS if used. Note that it is not recommended to have more than 4 replication agreements per replica.
- This are a security device and should enforce the usage of
  Mandatory Access Control (MAC) based on SELinux by default, which is supported best on RHEL, Fedora or CentOS. For a discussion of which RHEL-based distribution to chose, please see Fedora vs. CentOS vs. RHEL.
- This VMs are only for FreeIPA. For reasons of Performance, Stabilty, Security, Maintainability, Upgradablity, …
- Hardware
  - A basic user entry or a simple host entry with a certificate is approximately 5-10 kB in size.
  - For 10,000 users and 100 groups: at least 3 GB of RAM and 1 GB swap space
  - For 100,000 users and 50,000 groups: at least 16 GB of RAM and 4 GB of swap space.
Kerberos Realm Name
- that does not currently and
  will in future not collide with any other REALM like "IPA.ROCKSTABLE.IT".
Some DNS-Records
- TXT record for Kerberos-REALM
- SRV records for discovery of the FreeIPA by the clients

Installation

Prepare VM with RHEL-based#CentOS_Stream-1

Red Hat Customer Portal - Installing packages required for an IdM server

dnf module enable idm:DL1

   1 Last metadata expiration check: 1:00:31 ago on Tue 22 Sep 2020 07:33:55 PM CEST.
   2 Dependencies resolved.
   3 ================================================================================
   4  Package           Architecture     Version             Repository         Size
   5 ================================================================================
   6 Enabling module streams:
   7                                 
   8  389-ds                             1.4
   9  httpd                              2.4
  10  idm                                DL1
  11  pki-core                           10.6
  12  pki-deps                           10.6
  13 Transaction Summary
  14 ================================================================================
  15 
  16 Is this ok [y/N]: y
  17 Complete!

Change to the new packages provided by the new module dnf distro-sync

   1 Last metadata expiration check: 1:08:11 ago on Tue 22 Sep 2020 07:33:55 PM CEST.
   2 Dependencies resolved.
   3 Nothing to do.
   4 Complete!

Install the idm module

   1 dnf module install idm:DL1/{client,dns,server}

Configure

Configure an IPA server

   1 # ipa-server-install
   2 …
   3 The ipa-client-install command was successful
   4 
   5 Please add records in this file to your DNS system: /tmp/ipa.system.records.4ykg3ahr.db
   6 ==============================================================================
   7 Setup complete
   8 
   9 Next steps:
  10         1. You must make sure these network ports are open:
  11                 TCP Ports:
  12                   * 80, 443: HTTP/HTTPS
  13                   * 389, 636: LDAP/LDAPS
  14                   * 88, 464: kerberos
  15                 UDP Ports:
  16                   * 88, 464: kerberos
  17                   * 123: ntp
  18 
  19         2. You can now obtain a kerberos ticket using the command: 'kinit admin'
  20            This ticket will allow you to use the IPA tools (e.g., ipa user-add)
  21            and the web user interface.
  22 
  23 Be sure to back up the CA certificates stored in /root/cacert.p12
  24 These files are required to create replicas. The password for these
  25 files is the Directory Manager password
  26 The ipa-server-install command was successful
  27 ipa-server-install  40.05s user 5.05s system 4% cpu 15:06.50 total

There is a install log /var/log/ipaserver-install.log

column -t /tmp/ipa.system.records.4ykg3ahr.db

   1 _kerberos-master._tcp.2a.rockstable.it.  86400  IN  SRV  0  100  88   ipa2.2a.rockstable.it.
   2 _kerberos-master._udp.2a.rockstable.it.  86400  IN  SRV  0  100  88   ipa2.2a.rockstable.it.
   3 _kerberos.2a.rockstable.it.              86400  IN  TXT               "ROCKSTABLE.IT"
   4 _kerberos._tcp.2a.rockstable.it.         86400  IN  SRV  0  100  88   ipa2.2a.rockstable.it.
   5 _kerberos._udp.2a.rockstable.it.         86400  IN  SRV  0  100  88   ipa2.2a.rockstable.it.
   6 _kpasswd._tcp.2a.rockstable.it.          86400  IN  SRV  0  100  464  ipa2.2a.rockstable.it.
   7 _kpasswd._udp.2a.rockstable.it.          86400  IN  SRV  0  100  464  ipa2.2a.rockstable.it.
   8 _ldap._tcp.2a.rockstable.it.             86400  IN  SRV  0  100  389  ipa2.2a.rockstable.it.
   9 ipa-ca.2a.rockstable.it.                 86400  IN  A                 172.18.128.7

Now

If necessary, create the DNS#SRV Kerberos records.
Open the firewall on the host for freeipa
please see Firewalld

First Access

It is much preferable to have direct access to the web-service by simple routing, VPN or a remote terminal-server.

I chose the terminal-server option.

The web-server redirects instantly to https, which is a privileged port < 1024 and uses the server hostname. So if you need to have access via ssh-tunnel, it's getting interesting.

Defeating the firewall

Shutdown any webservers on the interface and port (tcp/443), because ssh will later bind to it.

   1 netstat -tulpen |grep ':443\s'
   2 sysmtemctl stop apache2.service

Alter local DNS resolution by mapping the target domain name to 127.0.0.1. (Maybe there is a browser plugin for this purpose,) but i haven't found it.

/etc/hosts

   1 127.0.0.1 ipa2.2a.rockstable.it ipa2

Some notes

This works in my setup, because i use a JumpHost and the target is resolved there. But to make the Website work, you may first need to connect to the name and later

enable the hosts-entry or
create a host entry in your ~/.ssh/config with the ip address or
even simpler just use the ip-address as target in the ssh command instead.

With sudo

Configure JumpHost in root ssh-config, because all cli options are for the target. /root/.ssh/config

   1 host    kvm2.rockstable.org kvm2
   2         user            tobias
   3         IdentityFile    /home/tobias/.ssh/id_rsa

Connect via ssh

   1 sudo -- ssh -J kvm2 \
   2         -L 443:localhost:443 \
   3         ipa2.2a.rockstable.it

And visit https://localhost/

With authbind

Install authbind

   1 apt install authbind

Configure authbind (the file must be executable for the user) {{{!highlight bash sudo -- install -u tobias -g root -m 700 \

/dev/null \ /etc/authbind/byport/443

}}}

For other options please see man authbind

Connect via ssh

   1 authbind -- ssh -J kvm2 \
   2         -L 443:localhost:443 \
   3         ipa2.2a.rockstable.it

And visit https://localhost/

Trouble Shooting

   1 root@ipa2 ~ # ipa-server-install --setup-dns
   2 
   3 The IPA server requires an administrative user, named 'admin'.
   4 This user is a regular system account used for IPA server administration.
   5                                                          
   6 IPA admin password:                                      
   7 Password must not contain control characters
   8 IPA admin password:                                          
   9 Password (confirm):                               
  10                                                            
  11 Checking DNS domain 2a.rockstable.it., please wait ...                 
  12 DNS zone 2a.rockstable.it. already exists in DNS and is handled by server(s): ['ns4.rockstable.org.', 'ns3.rockstable.org.']
  13 The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

In this case the option --allow-zone-overlap may help. Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.

Manage from CLI

Get a ticket

   1 root@ipa2 ~ # ipa
   2 ipa: ERROR: did not receive Kerberos credentials
   3 1 root@ipa2 ~ # kinit tobias
   4 Password for tobias@ROCKSTABLE.IT: 
   5 root@ipa2 ~ # ipa 
   6 Usage: ipa [global-options] COMMAND [command-options]
   7 
   8 Manage an IPA domain
   9 
  10 Options:
  11   --version          show program's version number and exit
  12   -h, --help         Show this help message and exit
  13   -e KEY=VAL         Set environment variable KEY to VAL
  14   -c FILE            Load configuration from FILE.
  15   -d, --debug        Produce full debuging output
  16   --delegate         Delegate the TGT to the IPA server
  17   -v, --verbose      Produce more verbose output. A second -v displays the
  18                      XML-RPC request
  19   -a, --prompt-all   Prompt for ALL values (even if optional)
  20   -n, --no-prompt    Prompt for NO values (even if required)
  21   -f, --no-fallback  Only use the server configured in /etc/ipa/default.conf
  22 
  23 See "ipa help topics" for available help topics.
  24 See "ipa help <TOPIC>" for more information on a specific topic.
  25 See "ipa help commands" for the full list of commands.
  26 See "ipa <COMMAND> --help" for more information on a specific command.
  27 
  28 Error: Command not specified

With the ticket you may now also take a look into the database.

   1 ldapsearch objectclass=\*| vim -

Bind backend

In FreeIPA named is compiled to read config from /etc/named.conf

   1 options {
   2         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
   3         listen-on-v6 {any;};
   4 
   5         // Put files that named is allowed to write in the data/ directory:
   6         directory "/var/named"; // the default
   7         dump-file               "data/cache_dump.db";
   8         statistics-file         "data/named_stats.txt";
   9         memstatistics-file      "data/named_mem_stats.txt";
  10 
  11         // If not explicitly set, the ACLs for "allow-query-cache" and
  12         // "allow-recursion" are set to "localnets; localhost;".
  13         // If either "allow-query-cache" or "allow-recursion" is set,
  14         // the other would be set the same value.
  15         // Please refer to /etc/named/ipa-ext.conf
  16         // for more informations
  17 
  18         tkey-gssapi-keytab "/etc/named.keytab";
  19         pid-file "/run/named/named.pid";
  20 
  21         dnssec-enable yes;
  22         dnssec-validation yes;
  23 
  24         /* Path to ISC DLV key */
  25         bindkeys-file "/etc/named.iscdlv.key";
  26 
  27         managed-keys-directory "/var/named/dynamic";
  28 
  29         /* crypto policy snippet on platforms with system-wide policy. */
  30         // not available
  31 };
  32 
  33 /* If you want to enable debugging, eg. using the 'rndc trace' command,
  34  * By default, SELinux policy does not allow named to modify the /var/named directory,
  35  * so put the default debug log file in data/ :
  36  */
  37 logging {
  38         channel default_debug {
  39                 file "data/named.run";
  40                 severity dynamic;
  41                 print-time yes;
  42         };
  43 };
  44 
  45 zone "." IN {
  46         type hint;
  47         file "named.ca";
  48 };
  49 
  50 include "/etc/named.rfc1912.zones";
  51 include "/etc/named.root.key";
  52 
  53 /* custom configuration snippet */
  54 include "/etc/named/ipa-ext.conf";
  55 
  56 /* WARNING: This part of the config file is IPA-managed.
  57  * Modifications may break IPA setup or upgrades.
  58  */
  59 dyndb "ipa" "/usr/lib64/bind/ldap.so" {
  60         uri "ldapi://%2fvar%2frun%2fslapd-ROCKSTABLE-IT.socket";
  61         base "cn=dns, dc=rockstable,dc=it";
  62         server_id "ipa2.2a.rockstable.it";
  63         auth_method "sasl";
  64         sasl_mech "GSSAPI";
  65         sasl_user "DNS/ipa2.2a.rockstable.it";
  66 };
  67 /* End of IPA-managed part. */

It uses the LDAP back-end plug-in for BIND to load configuration and zones from 389-ds. This is remarkable.

There is also a file for user-provided custom configuration
/etc/named/ipa-ext.conf

   1 // Custom managed file.
   2 // Here you can set your own options, for instance ACL for recursion access:
   3 //
   4 // acl "trusted_network" {
   5 //   localnets;
   6 //   localhost;
   7 //   234.234.234.0/24;
   8 //   2001::co:ffee:babe:1/48;
   9 // };
  10 // options {
  11 //   allow-recursion {trusted_network;};
  12 //   allow-query-cache {trusted_network;};
  13 // };
  14 //
  15 // This file will NOT be overridden during updates!

Zone transfer

The idea:

Leave the master role to freeipa
Synchronize secondary servers to master, which have generally an earlier or higher availability.
Forward dynamic zone updates, that are sent to the slave (e.g. from isc-dhcp-server), to the master.

This ensures operation if the master has gone away or is not available, yet.

SOA serial format

According to FreeIPA V3/DNS SOA serial auto-incrementation the format of the serial is

a unix timestamp or
a number larger than the timestamp (to be incremented by 1 each time)

Until Mai 2033 the typical YYYYMMDDNN serial is bigger than the unix timestamp. That's why these kind of serials should not be used, because the serial is not parsed and therefore the date is not refreshed. Using the timestamp this information is not lost.

So if your zone was formerly using this serials you need to set it lower than the unix timestamp in freeipa on the slave or nothing happens.

Zone transfer with TSIG (keybased)

To create a TSIG key please see bind9#dnssec-keygen_-_TSIG and return back here.

FreeIPA has no support for TSIG keys in the webfrontend. Howto/DNS updates and zone transfers with TSIG

On the master (FreeIPA) the custom configuration snippet may be used to insert the key.
/etc/named/ipa-ext.conf

   1 // Custom managed file.                                                                                                                           
   2 // Here you can set your own options, for instance ACL for recursion access:                                                                      
   3 //                                                                                                                                                
   4 // acl "trusted_network" {                                                                                                                        
   5 //   localnets;                                                                                                                                   
   6 //   localhost;                                                                                                                                   
   7 //   234.234.234.0/24;                                                                                                                            
   8 //   2001::co:ffee:babe:1/48;                                                                                                                     
   9 // };                                                                                                                                             
  10 // options {                                                                                                                                      
  11 //   allow-recursion {trusted_network;};                                                                                                          
  12 //   allow-query-cache {trusted_network;};                                                                                                        
  13 // };                                                                                                                                             
  14 //                                                                                                                                                
  15 // This file will NOT be overridden during updates!  
  16 
  17 // KEY THE BIND9 (SLAVE) ON KVM2 USES TO FETCH THE ZONE
  18 key "kvm2_rockstable_org" {
  19         algorithm hmac-sha512;
  20         secret "FO07a2PRNLWVH0H8Thb4JyO/4WqJQio44jyclTrWLoc4gdKrosnBWIJlx/1Ss+EjhcFSJ5og4krZHmQ+eGT/FQ==";
  21 };
  22 
  23 // KEY THE DHCP-SERVER USES TO UPDATE THE ZONE (FORWARED BY KVM2)
  24 key DHCP_UPDATER {
  25         algorithm       HMAC-SHA512;
  26         secret          "KeyExtractedFromPrivateFile==";
  27 };

You may not specify a TSIG key in the webfrontend form for AllowTransfer, the value is validated to be a IPv4/6 address. :-| We have to set it directly in ldap. The WebUI still fetches the value from ldap, displays it and complains on save. So this has to be done ever and ever again. :-/

   1 ### ACQUIRE TGT
   2 kinit admin
   3 ### TAKE A LOOK
   4 ldapsearch -Y GSSAPI -b "cn=dns,dc=rockstable,dc=it" -s one "(objectclass=*)"
   5 ### ALLOW THE KEY
   6 ldapmodify -Y GSSAPI << EOF
   7 dn: idnsname=2a.rockstable.it.,cn=dns,dc=rockstable,dc=it
   8 changetype: modify
   9 replace: idnsAllowTransfer
  10 idnsAllowTransfer: key "kvm2_rockstable_org";
  11 -
  12 EOF
  13 SASL/GSSAPI authentication started
  14 SASL username: admin@ROCKSTABLE.IT
  15 SASL SSF: 256
  16 SASL data security layer installed.
  17 modifying entry "idnsname=2a.rockstable.it.,cn=dns,dc=rockstable,dc=it"

On the slave (simple bind9), the key is inserted in
/etc/bind/named.conf.auth

   1 key "kvm2_rockstable_org" {
   2         algorithm hmac-sha512;
   3         secret "FO07a2PRNLWVH0H8Thb4JyO/4WqJQio44jyclTrWLoc4gdKrosnBWIJlx/1Ss+EjhcFSJ5og4krZHmQ+eGT/FQ==";
   4 };
   5 
   6 masters masters_ipa_rockstable_it port 53 {
   7         172.18.128.7 port 53 key kvm2_rockstable_org;
   8 };

On the slave configure the (former master) zone as a slave in
/etc/bind/named.conf.local

   1         // 2a: INTRANET DMZ; LEVEL 2; ACCESS                                                                                                      
   2         zone "2a.rockstable.it" {                                                                                                                 
   3                 type                    slave;                                                                                                    
   4                 // ZONE OF TYPE "slave" MUST HAVE "masters"                                                                                    
   5                 masters                 { masters_ipa_rockstable_it; };
   6                 masterfile-format       text;                                   # (text|raw)                                                      
   7                 file                    "/var/lib/bind/zones/db.it.rockstable.2a";                                                                
   8                 journal                 "/var/lib/bind/journal/db.it.rockstable.2a.jnl";        # string ;                                        
   9                 allow-query             { localhost; kvm2_nets_int; };          # { address_match_list };                                         
  10                 allow-query-on          { localhost; kvm2_ifaces_int; };        # { address_match_list };                                         
  11                 allow-update-forwarding { localhost; kvm2_nets_int; };          # { address_match_element; ... };                                 
  12                 check-names             warn;                                   # (warn|fail|ignore) ;                                            
  13                 notify                  yes;                                    # yes_or_no | explicit | master-only ;                            
  14                 zone-statistics         yes;                                    # yes_or_no ;                                                     
  15         };

Check the configuration on both nodes with named-checkconf!

Check if the firewall is opened between primary and secondary!

   1 ### SLAVE
   2 nc -vznw3 172.18.128.7 53
   3 Connection to 172.18.128.7 53 port [tcp/*] succeeded!
   4 ### MASTER (THIS WAS ON CENTOS)
   5 nc -vznw3 172.18.128.1 53
   6 Ncat: Version 7.70 ( https://nmap.org/ncat )
   7 Ncat: Connected to 172.18.128.1:53.
   8 Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

Open the logs.

Migration

   1 systemctl restart bind9.service
   2 rndc retransfer 2a.rockstable.it in internal

Check the logs!

Add a NS-record to the master zone for the new slave server, to ensure it is notified on changes.

The slave forwards dynamic update requests to the master with allow-update-forwarding. To allow dynamic updates add a "Update Policy" to the zone in the FreeIPA WebUI.

   1 grant DHCP_UPDATER zonesub ANY;

Enroll clients

Preparation

Make sure you have

deployed all the DNS-records for autodiscovery.
- This is importtant to get failover working correctly.
opened the firewall, so the client can communicate with the server.

Install

And gather the info you need during installation

Key	Value
Kerberos Realm	`ROCKSTABLE.IT`
Kerberos Server	`ipa2.2a.rockstable.it`
Kerberos Administration Server	`ipa2.2a.rockstable.it`

Install the client

   1 apt install freeipa-client

Key	Value
IPA domain name	`2a.rockstable.it`
IPA server name	`ipa2.2a.rockstable.it`
Enrollment Username	`tobias`
Enrollment Password	`__very_long_password__`

Enroll the client (with fixed values)

   1 ipa-client-install
   2 This program will set up FreeIPA client.
   3 Version 4.7.2
   4 
   5 WARNING: conflicting time&date synchronization service 'ntp' will be disabled
   6 in favor of chronyd
   7 
   8 DNS discovery failed to determine your DNS domain
   9 Provide the domain name of your IPA server (ex: example.com): 2a.rockstable.it
  10 Provide your IPA server name (ex: ipa.example.com): ipa2.2a.rockstable.it
  11 The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
  12 Autodiscovery of servers for failover cannot work with this configuration.
  13 If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
  14 Proceed with fixed values and no DNS discovery? [no]: yes
  15 Client hostname: secl.2a.rockstable.it
  16 Realm: ROCKSTABLE.IT
  17 DNS Domain: 2a.rockstable.it
  18 IPA Server: ipa2.2a.rockstable.it
  19 BaseDN: dc=rockstable,dc=it
  20 
  21 Continue to configure the system with these values? [no]: yes
  22 Synchronizing time
  23 No SRV records of NTP servers found and no NTP server or pool address was provided.
  24 Using default chrony configuration.
  25 Attempting to sync time with chronyc.
  26 Time synchronization was successful.
  27 User authorized to enroll computers: tobias
  28 Password for tobias@ROCKSTABLE.IT: 
  29 Successfully retrieved CA cert
  30     Subject:     CN=Certificate Authority,O=ROCKSTABLE.IT
  31     Issuer:      CN=Certificate Authority,O=ROCKSTABLE.IT
  32     Valid From:  2020-09-24 11:52:29
  33     Valid Until: 2040-09-24 11:52:29
  34 
  35 Enrolled in IPA realm ROCKSTABLE.IT
  36 Created /etc/ipa/default.conf
  37 Configured sudoers in /etc/nsswitch.conf
  38 Configured /etc/sssd/sssd.conf
  39 Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
  40 Systemwide CA database updated.
  41 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  42 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  43 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  44 Could not update DNS SSHFP records.
  45 SSSD enabled
  46 Configured /etc/openldap/ldap.conf
  47 Configured /etc/ssh/ssh_config
  48 Configured /etc/ssh/sshd_config
  49 Configuring 2a.rockstable.it as NIS domain.
  50 Client configuration complete.
  51 The ipa-client-install command was successful

Some errors related to NTP and DNS, probably due to my legendary and conflicting DNS-setup.

Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
The installer was not able to update the SSHFP records in my setup.
No SRV-records for NTP

The freeipa-client-installer may pick not a hostname you want. There are some nice effects in combination with NetworkManager, /etc/network/interfaces and multiple interfaces.

Changed the client nameservers in /etc/resolv.conf to point to the FreeIPA-server.

And tried again.

   1 root@secl /etc # ipa-client-install --hostname="secl.2a.rockstable.it" --force-join
   2 This program will set up FreeIPA client.
   3 Version 4.7.2
   4 
   5 WARNING: conflicting time&date synchronization service 'ntp' will be disabled
   6 in favor of chronyd
   7 
   8 Discovery was successful!
   9 Client hostname: secl.2a.rockstable.it
  10 Realm: ROCKSTABLE.IT
  11 DNS Domain: 2a.rockstable.it
  12 IPA Server: ipa2.2a.rockstable.it
  13 BaseDN: dc=rockstable,dc=it
  14 
  15 Continue to configure the system with these values? [no]: yes
  16 Synchronizing time
  17 No SRV records of NTP servers found and no NTP server or pool address was provided.
  18 Using default chrony configuration.
  19 Attempting to sync time with chronyc.
  20 Time synchronization was successful.
  21 User authorized to enroll computers: tobias
  22 Password for tobias@ROCKSTABLE.IT:
  23 Successfully retrieved CA cert
  24     Subject:     CN=Certificate Authority,O=ROCKSTABLE.IT
  25     Issuer:      CN=Certificate Authority,O=ROCKSTABLE.IT
  26     Valid From:  2020-09-24 11:52:29
  27     Valid Until: 2040-09-24 11:52:29
  28 
  29 Enrolled in IPA realm ROCKSTABLE.IT
  30 Created /etc/ipa/default.conf
  31 Configured sudoers in /etc/nsswitch.conf
  32 Configured /etc/sssd/sssd.conf
  33 Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
  34 Cannot connect to the server due to Kerberos error: Major (851968): nicht spezifizierter GSS-Fehlschlag. M?glicherweise stellt der untergeordnete Code weitere Informationen bereit., Minor (2529639066): KDC f?r Realm >>ROCKSTABLE.IT<< kann nicht gefunden werden. Trying with delegate=True     
  35 Second connect with delegate=True also failed: Major (851968): nicht spezifizierter GSS-Fehlschlag. M?glicherweise stellt der untergeordnete Code weitere Informationen bereit., Minor (2529639066): KDC f?r Realm >>ROCKSTABLE.IT<< kann nicht gefunden werden                                     
  36 Installation failed. Rolling back changes.
  37 Unenrolling client from IPA server
  38 Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.
  39 
  40 Removing Kerberos service principals from /etc/krb5.keytab
  41 Disabling client Kerberos and LDAP configurations
  42 Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
  43 Restoring client configuration files
  44 nscd daemon is not installed, skip configuration
  45 nslcd daemon is not installed, skip configuration
  46 Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
  47 Some installation state has not been restored.
  48 This may cause re-installation to fail.
  49 It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
  50  mean your system hasn't been restored to its pre-installation state.
  51 Client uninstall complete.
  52 
  53 The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

Okay, the KDC of realm "ROCKSTABLE.IT" cannot be found in the delegating DNS-zone. There is probably something missing.

And it fails again.

Now tryit with new options

--hostname make sure to pick th right hostname
--force-join overwrite existing instance
--force force configuration even if a error occurs, during some of the tests e.g. KDC not found

   1 root@secl /etc # ipa-client-install \
   2         --hostname="secl.2a.rockstable.it" \
   3         --force-join --force
   4 This program will set up FreeIPA client.                           
   5 Version 4.7.2                                               
   6                       
   7 WARNING: conflicting time&date synchronization service 'ntp' will be disabled
   8 in favor of chronyd                                       
   9                                                            
  10 Discovery was successful!                                   
  11 Client hostname: secl.2a.rockstable.it                      
  12 Realm: ROCKSTABLE.IT                                               
  13 DNS Domain: 2a.rockstable.it                                 
  14 IPA Server: ipa2.2a.rockstable.it                                                          
  15 BaseDN: dc=rockstable,dc=it                                 
  16                                                             
  17 Continue to configure the system with these values? [no]: yes 
  18 Synchronizing time                                                     
  19 No SRV records of NTP servers found and no NTP server or pool address was provided.
  20 Using default chrony configuration.                           
  21 Attempting to sync time with chronyc.                              
  22 Time synchronization was successful.                             
  23 User authorized to enroll computers: tobias                     
  24 Password for tobias@ROCKSTABLE.IT:                             
  25 Successfully retrieved CA cert                               
  26     Subject:     CN=Certificate Authority,O=ROCKSTABLE.IT         
  27     Issuer:      CN=Certificate Authority,O=ROCKSTABLE.IT                           
  28     Valid From:  2020-09-24 11:52:29                        
  29     Valid Until: 2040-09-24 11:52:29                       
  30                                                                       
  31 Enrolled in IPA realm ROCKSTABLE.IT                           
  32 Created /etc/ipa/default.conf                                 
  33 Configured sudoers in /etc/nsswitch.conf                    
  34 Configured /etc/sssd/sssd.conf
  35 Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
  36 Systemwide CA database updated.         
  37 Hostname (secl.2a.rockstable.it) does not have A/AAAA record.
  38 Incorrect reverse record(s):
  39 172.18.128.9 is pointing to secl.2a.rockstable.it.2a.rockstable.it. instead of secl.2a.rockstable.it.
  40 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  41 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub                          
  42 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub                   
  43 SSSD enabled           
  44 Configured /etc/openldap/ldap.conf                       
  45 Configured /etc/ssh/ssh_config                                         
  46 Configured /etc/ssh/sshd_config                                        
  47 Configuring 2a.rockstable.it as NIS domain.
  48 Client configuration complete.       
  49 The ipa-client-install command was successful

Okay, we're in for the moment. But the problem with the delegating zone is still there.

Configurations

Services

Misc

Navigation